
GB/T 22081-2016 (GB/T 22081-2024 Newer Version) PDF English


Search result: GB/T 22081-2016 (GB/T 22081-2024 Newer Version)

| Standard ID | Contents | USD | Delivered in | Name of Chinese Standard | Status |
|---|---|---|---|---|---|
| GB/T 22081-2024 | English | 3074 | 13 days | Cybersecurity technology - Information security controls | Valid |
| GB/T 22081-2016 | English | 370 | 0-9 seconds (auto-delivery) | Information technology - Security techniques - Code of practice for information security controls | Valid |
| GB/T 22081-2008 | English | RFQ | 8 days | Information technology - Security techniques - Code of practice for information security management | Obsolete |

Newer version: GB/T 22081-2024

PDF Preview: GB/T 22081-2016 (PDF in English)

GB/T 22081-2016
Information technology - Security techniques - Code of practice for information security controls
ICS 35.040
L80
National Standard of the People's Republic of China
Replacing GB/T 22081-2008
(ISO/IEC 27002:2013, IDT)
Issued 2016-08-29; implemented 2017-03-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China

Contents
Foreword
Introduction
0.1 Background and context
0.2 Information security requirements
0.3 Selecting controls
0.4 Developing the organization's own guidelines
0.5 Lifecycle considerations
0.6 Related standards
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
4.1 Clauses
4.2 Control categories
5 Information security policies
5.1 Management direction for information security
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirements of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
10.1 Cryptographic controls
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard replaces GB/T 22081-2008 "Information technology - Security techniques - Code of practice for information security management". Compared with GB/T 22081-2008, the main technical changes are as follows:
--- structural changes (see Appendix NA);
--- changes in terminology (see Appendix NB).

This standard is identical to ISO/IEC 27002:2013 "Information technology - Security techniques - Code of practice for information security controls" and its technical corrigendum ISO/IEC 27002:2013/Cor.1:2014, adopted by the translation method.

The Chinese document that corresponds to the international document normatively referenced in this standard is:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009, IDT).

This standard makes the following editorial changes:
--- informative Appendix NA added;
--- informative Appendix NB added.

Please note that some of the contents of this document may be the subject of patents. The issuing body of this document does not bear the responsibility of identifying these patents.

This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: China Electronics Standardization Institute, CLP Great Wall Internet System Application Co., Ltd., China Information Security Certification Center, Shandong Provincial Institute of Standardization, Guangzhou Saibao Certification Center Services Ltd., Beijing Jiangnan Tian An Technology Co., Ltd., Shanghai Three Zero Guardian Information Security Co., Ltd., China National Accreditation Service for Conformity Assessment, Beijing Sunway Information Technology Co., Ltd., Heilongjiang E-mail Products Surveillance and Inspection Institute, Zhejiang Yuanwang Electronics Co., Ltd., Hangzhou Letter Technology Co., Ltd.

Main drafters of this standard: Xu Yuna, Shanggong Xiaoli, Min Jinghua, in particular, the public, Lu Lvwen, Ni Wenjing, Wang Lianqiang, Yu Jingtao, Fu Zhi Gao, Zhao Yingqing, Lu Pu Ming, Wang Shuguang, Yu Zhonghua, Han Shuoxiang, Wei Jun, Cheng Yuqi, Kong Xianglin, Wu Minhua, Li Hua, Li Yang.

The previous editions of the standard replaced by this standard are:
--- GB/T 22081-2008.

Introduction

0.1 Background and context

This standard is designed for organizations to use as a reference when selecting controls within the process of implementing an information security management system (ISMS) based on GB/T 22080 [10], or as guidance for organizations implementing commonly accepted information security controls. Taking their specific information security risk environment into consideration, this standard can also be used to develop information security management guidelines for specific industries and specific organizations.

Organizations of all types and sizes (including the public and private sectors, commercial organizations and non-profit organizations) collect, process, store and transmit information in many forms, including electronic, physical and verbal (e.g. conversations and presentations).

The value of information goes beyond the written words, numbers and images themselves: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and the related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable to an organization's business and consequently deserve or require protection against various hazards.

Assets are subject to both deliberate and accidental threats, while the related processes, systems, networks and personnel have inherent vulnerabilities. Changes to business processes and systems, or other external changes (such as new laws and regulations), may create new information security risks. Therefore, given the many ways in which threats could exploit vulnerabilities to harm the organization, information security risks are always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and thereby reduces the impact on its assets.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. The ISMS specified in GB/T 22080 [10] takes a holistic, coordinated view of the organization's information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.

In the sense of GB/T 22080 [10] and this standard, many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful information security management system requires support from all employees in the organization; it can also require participation from shareholders, suppliers or other external parties, and specialist advice from outside parties may also be needed.

In a more general sense, effective information security also assures management and other stakeholders that the organization's assets are reasonably safe and protected against harm, thereby acting as a business enabler.

0.2 Information security requirements

It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
a) the assessment of risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to those threats and the likelihood of their occurrence are evaluated, and the potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that the organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) the set of principles, objectives and business requirements for information handling, processing, storage, communication and archiving that the organization has developed to support its operations.

The resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of the risk assessment will help guide and determine the appropriate management action, the priorities for managing information security risks, and the priorities for implementing the controls selected to protect against these risks.

ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.

0.3 Selecting controls

Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate. The selection of controls depends on organizational decisions based on the criteria for risk acceptance, the risk treatment options and the general risk management approach applied by the organization; it should also comply with all relevant national laws and regulations. Control selection also depends on the manner in which the controls interact to provide defence in depth.

Some of the controls in this standard can be considered guiding principles for information security management and are applicable to most organizations. Under each control, detailed implementation guidance is given. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005 [11].

0.4 Developing the organization's own guidelines

This standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this standard may be applicable to a given organization. Furthermore, additional controls and guidelines not included in this standard may be required. When documents containing additional controls or guidelines are developed, it may be useful to include cross-references to clauses in this standard where applicable, to facilitate compliance checking by auditors and business partners.

0.5 Lifecycle considerations

Information has a natural life cycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and the risks to, information assets may vary during their lifetime (e.g. unauthorized disclosure or theft of a company's financial accounts is far less harmful after they have been formally published), but information security remains important to some degree at all stages.

Information systems have life cycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actual security incidents and current and projected information security risks into account.

0.6 Related standards

This standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations; other standards in the information security management system family of standards provide complementary advice or requirements on other aspects of the overall process of managing information security.

Refer to ISO/IEC 27000 for a general introduction to information security management system standards. The glossary provided in ISO/IEC 27000 formally defines most of the terms used throughout the information security management system family of standards and describes the scope and objectives of each member of the family.

Information technology - Security techniques - Code of practice for information security controls

1 Scope

This standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).

This standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an information security management system based on GB/T 22080 [10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition of the referenced document (including all amendments) applies to this document.

ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.

4 Structure of this standard

This standard contains 14 security control clauses, collectively containing a total of 35 main security categories and 114 controls.

4.1 Clauses

Each clause defining security controls contains one or more main security categories. The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important; therefore each organization applying this standard should identify which controls are applicable, how important they are, and how they apply to individual business processes. Furthermore, the lists in this standard are not in priority order.

4.2 Control categories

Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.

Control descriptions are structured as follows.

Control
A statement defining the specific control, to satisfy the control objective.

Implementation guidance
More detailed information to support the implementation of the control and to meet the control objective. The guidance may not be entirely suitable or sufficient in all situations and may not fulfil the organization's specific control requirements.

Other information
Further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided, this part is not shown.

5 Information security policies

5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

5.1.1 Policies for information security

Control
A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

Implementation guidance
At the highest level, the organization should define an "information security policy" which is approved by management and which sets out the organization's approach to managing its information security objectives.

The information security policy should address the requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.

The information security policy should contain statements concerning:
a) the definition of information security, and the objectives and principles that guide all activities relating to information security;
b) the assignment of general and specific responsibilities for information security management to defined roles;
c) the handling of deviations and exceptions.

At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within the organization or to cover certain topics.

Examples of such policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end-user oriented topics, such as:
 1) acceptable use of assets (see 8.1.3);
 2) clear desk and clear screen (see 11.2.9);
 3) information transfer (see 13.2.1);
 4) mobile devices and teleworking (see 6.2);
 5) restrictions on software installation and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).

These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an "information security awareness, education and training programme" (see 7.2.2).

Other information
The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations, where those who define and approve the expected levels of control are segregated from those who implement the controls, or where a policy applies to many different people or functions in the organization. Policies for information security can be issued as a single "information security policy" document or as a set of individual but related documents.

If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.

Some organizations use other terms for these policy documents, such as "standards" or "rules".

5.1.2 Review of the policies for information security

Control
The policies for information security should be reviewed at planned intervals or when significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

Implementation guidance
Each policy should have an owner who has approved management responsibility for the development, review and evaluation of the policy. The review should include assessing opportunities for improving the organization's policies and approach to managing information security in response to changes in the organizational environment, business circumstances, legal conditions or technical environment.

The review of the policies for information security should take the results of management reviews into account.

Management approval should be obtained for a revised policy.

6 Organization of information security

6.1 Internal organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.1.1 Information security roles and responsibilities

Control
All information security responsibilities should be defined and allocated.

Implementation guidance
The allocation of information security responsibilities should be consistent with the information security policies (see 5.1.1). Responsibilities for the protection of individual assets and for carrying out specific security processes should be clearly identified. Responsibilities for information security risk management activities, and in particular for the acceptance of residual risks, should be defined. Where necessary, these responsibilities should be supplemented with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.

Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless, they remain accountable and should determine whether any delegated tasks have been correctly performed.

The areas for which individuals are responsible should be stated. In particular, the following should take place:
a) the assets and information security processes should be identified and defined;
b) the entity responsible for each asset or security process should be assigned, and the details of this responsibility should be documented (see 8.1.2);
c) authorization levels should be defined and documented;
d) the appointed individuals should be competent in the area of information security and be given opportunities to keep up to date with developments, so that they can fulfil their responsibilities in this area;
e) the coordination and oversight of information security in supplier relationships should be identified and documented.

Other information
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.

However, the responsibility for resourcing and implementing the controls often remains with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.

6.1.2 Segregation of duties

Control
Conflicting duties and areas of responsibility should be segregated to reduce the opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Implementation guidance
Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an activity should be separated from its authorization. The possibility of collusion should be considered when designing this control.

Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Where segregation is difficult, other controls such as monitoring of activities, audit trails and management supervision should be considered.

Other information
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of the organization's assets.

6.1.3 Contact with authorities

Control
Appropriate contacts with relevant authorities should be maintained.

Implementation guidance
The organization should have procedures in place that specify when and which authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted, and how identified information security incidents should be reported in a timely manner (e.g. when an identified information security incident may involve a breach of the law).

Other information
An organization under attack from the Internet may need the authorities to take action against the attacker.

Maintaining such contacts may be a requirement in support of information security incident management (see Clause 16) or of business continuity and contingency planning (see Clause 17). Contacts with regulatory bodies also help the organization to anticipate and prepare for upcoming changes in laws or regulations that it has to implement. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety bodies, e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).

6.1.4 Contact with special interest groups

Control
Appropriate contacts with special interest groups, other specialist security forums and professional associations should be maintained.

Implementation guidance
Membership in special interest groups or forums should be considered as a means to:
a) improve knowledge about best practices and stay up to date with relevant security information;
b) ensure that the understanding of the information security environment is current and complete;
c) receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
d) gain access to specialist information security advice;
e) share and exchange information about new technologies, products, threats or vulnerabilities;
f) provide suitable liaison points when dealing with information security incidents (see Clause 16).

Other information
Information sharing agreements can be established to improve cooperation and coordination on security issues. Such agreements should identify the requirements for the protection of confidential information.

6.1.5 Information security in project management

Control
Information security should be addressed in project management, regardless of the type of project.

Implementation guidance
Information security should be integrated into the organization's project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management or other supporting processes. The project management methods in use should require that:
a) information security objectives are included in the project objectives;
b) an information security risk assessment is conducted at an early stage of the project to identify the necessary controls;
c) information security is part of all phases of the applied project management methodology.

Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specified roles defined in the project management methods.

6.2 Mobile devices and teleworking

Objective: To ensure the security of mobile devices and teleworkin...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.